How Chrome Short URLs Can Improve Your Security

Soon Google may truncate the full URL of the websites you visit. By showing only the website’s domain name in the address bar and not the full URL, Google’s move can really help people improve their web browsing security. And you can try this feature right now.

To get started, you need to download Chrome Dev or Chrome Canary for Windows or Mac, as this URL hiding feature is not yet present in the beta or stable channels of Chrome. After you start Chrome Canary, copy and paste the following into the address bar and enable the flag:

chrome://flags/#omnibox-ui-hide-steady-state-url-path-query-and-ref

Restart your browser and load some websites. Once the pages are fully loaded, you should notice that the URL in Chrome’s address bar is shortened to the domain and nothing else.

The URL is missing but not forgotten. Just click the address bar to bring back the full URL.

Click anywhere on the webpage you are viewing and the URL will go back to just the domain name.

While this sounds like a rather small change, it might be worth getting used to. It is my understanding that this may become the default option for Chrome in the future, although Google is still working to find out whether this change is actually useful as a phishing protection.

But don’t worry. If you really prefer the old way of working, you can right-click on the address bar and select the new “Always show full URLs” option. This option is currently hidden behind the following flag in Chrome Canary:

chrome://flags/#omnibox-context-menu-show-full-urls

Isn’t it bad to hide the entire URL?

Not really. In fact, this change is a good move, especially for those who are nowhere near as tech-savvy as you. Consider people who might click a link and land on a phishing site with an extremely complex URL. They may not even notice the URL in their address bar, as it is just a mixture of letters and numbers that has absolutely no meaning to them.

In contrast, if the URL was shortened to a domain, it might be more obvious to a person that they opened microsoft.hhr13231j.com instead of the Microsoft website.
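The following JavaScript is an added example, not code from Chrome or from this article. It approximates the simplified display by reducing a URL to its host, then extracts the registrable domain to show why microsoft.hhr13231j.com is not a Microsoft site. The function names, the sample URL's path and query, and the four-entry suffix set (a stand-in for the Public Suffix List) are assumptions.

```javascript
// Added example. SAMPLE_SUFFIXES is a small constructed stand-in for the
// Public Suffix List; a real check needs the full list.
const SAMPLE_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Constructed sample: the host is the article's example; path, query and
// fragment are made up to resemble a long, unreadable URL.
const SAMPLE_URL =
  "https://microsoft.hhr13231j.com/a8f3/session/91bd?id=4c1e77&ref=x9#step2";

// Approximates the simplified display: host only, with path, query and
// ref (fragment) hidden.
function steadyStateDisplay(fullUrl) {
  return new URL(fullUrl).hostname;
}

// Registrable domain: the longest matching suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return hostname.toLowerCase(); // unknown suffix: treat the whole host as the domain
}

// True when a brand name appears only in subdomain labels while the
// registrable domain is not the brand's own.
function brandInSubdomainOnly(fullUrl, brand, brandDomain) {
  const host = steadyStateDisplay(fullUrl);
  const registrable = registrableDomain(host);
  if (registrable === brandDomain) return false;
  const subLabels = host
    .slice(0, host.length - registrable.length)
    .split(".")
    .filter(Boolean);
  return subLabels.some((label) => label.includes(brand));
}

console.log(steadyStateDisplay(SAMPLE_URL), "->", registrableDomain(steadyStateDisplay(SAMPLE_URL)));
```

The registrable domain is the part an attacker actually had to register, which is why the domain-only view makes the mismatch easier to see than the full URL does.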

As one Chromium developer writes:

We think this is an important area of concern because phishing and other forms of social engineering are still widespread on the web, and many studies show that current browser URL mapping patterns are not effective defenses. […] We are conducting this experiment to simplify domain mapping so that we can conduct qualitative and quantitative research to see if it helps users more accurately identify malicious websites. This means we will have research participants studying the prototype in lab / survey research, and we will also introduce it to a small percentage of real Chrome users to see if it helps protect them from phishing. If the results show that this simplified domain mapping does indeed help protect users from attacks, then we will make a decision on whether to send it to all users, balancing user feedback with security concerns. As noted above, users will have the option to individually opt-out if they feel it does not improve their security or usability.

I say let this change happen. Since Google makes it easy for experienced users who want to see the full URL in the address bar to set that as the default, does the switch from a full URL to a simple domain name after the page loads really ruin anyone’s day? If it can help the less observant in the fight against phishing, I think it’s a great move.
